


So, this talk is about files... what are the usual files' categories? 



VALID
CORRUPTED






It depends if you're a newbie, a user, a dev, a hacker. 




However, the frontier between valid and corrupted is not straight and clear!



Here is a valid file...

f76f5dafdcf0818c457e6ffb50ea61a67196dcd4 *ccc.jpg 

(ok, maybe not a standard file) 



>java -jar ccc.jpg 
Hello World! [Java] 

> 



If you encrypt it with AES... 




... you get a PNG picture. 




...you get a PDF document.




If you encrypt the original file with AES again, but with a different key. 



[Screenshot: encrypted_AES2.flv playing in VLC media player]




...you get a Flash Video... 



..that ... oh well, nevermind, I could go on for hours... 



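[Diagram: ccc.jpg is at once a JPG and a JAR (ZIP + CLASS) that runs with "java -jar ccc.jpg" and prints "Hello World! [Java]". The other boxes are PDF, PNG and FLV; the arrows to PNG and FLV are both labelled AES, each with its own key K.]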



So, as you can see, I'm just a normal guy (who likes to play with binary). 






me@nux:~$ ./mini 
me@nux:~$ echo $? 
42 




     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00: 7F .E .L .F 01 01 01
10: 02 00 03 00 01 00 00 00 60 00 00 08 40 00 00 00
20:                         34 00 20 00 01 00
40: 01 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08
50: 70 00 00 00 70 00 00 00 05 00 00 00
60: BB 2A 00 00 00 B8 01 00 00 00 CD 80



I also like to explain binary 



ELF HEADER (identify as an ELF type, specify the architecture)

FIELDS          VALUES
e_ident
  EI_MAG        0x7F, "ELF"
  EI_CLASS      1 ELFCLASS32
  EI_DATA       1 ELFDATA2LSB
  EI_VERSION    1 EV_CURRENT
e_type          2 ET_EXEC
e_machine       3 EM_386
e_version       1 EV_CURRENT
e_entry         0x8000060
e_phoff         0x0000040
e_ehsize        0x0034
e_phentsize     0x0020
e_phnum         0001

PROGRAM HEADER TABLE (execution information)

FIELDS          VALUES
p_type          1 PT_LOAD
p_offset        0
p_vaddr         0x8000000
p_paddr         0x8000000
p_filesz        0x0000070
p_memsz         0x0000070
p_flags         5 PF_R|PF_X



CODE

X86 ASSEMBLY            EQUIVALENT C CODE

mov ebx, 42
mov eax, SC_EXIT        return 42;
int 80h



pics.corkami.com / prints.corkami.com 



Let's talk about... 



Identification 

How do you identify a cow? 




By its head? 



in practice... 



early filetype 
identifier 



Obvious

PE\0\0    \x7FELF    BPG\xFB
\x89PNG\x0D\x0A\x1A\x0A
dex\n035\0    RAR\x1a\7\0    BZ
GIF89a    BM    RIFF

Not obvious

GZip    1F 8B
JPG     FF D8

Not obvious, but l33tsp34k ^_^

CAFEBABE    Java / universal (old) Mach-O
D0CF11E0    Office
FEEDFACE    Mach-O
FEEDFACF    Mach-O (64b)

Egocentric

MZ (DOS header)    Mark Zbikowski
PK\3\4 (ZIP)       Philip Katz
BPG\xFB            Fabrice Bellard

Specific logic

TIFF:
II     Intel (little) endianness
MM     Motorola (big) endianness

Flash:
FWS    Shockwave Flash (Flat)
CWS    (zlib) compressed
ZWS    LZMA compressed



"Magic" signatures, enforced at offset 0 



not enforcing signature at offset 0: ZIP, 7z, RAR, HTML
actually enforcing signature at offset 0: bzip2, GZip



7.5.2 File Header

The first line of a PDF file shall be a header consisting of the 5 characters %PDF- followed by a version number of the form 1.N, where N is a digit between 0 and 7.

3.4.1, "File Header"

13. Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.



File formats not enforcing signature at offset 0 
(ZIP is used in many formats: APK, ODT, DOCX, JAR...) 



file 1    Local File Header 1
          <file name>
          <file data>

file N    Local File Header N
          <file name>
          <file data>

Central Directory 1:
          relative offset 1
          <file name>

Central Directory N:
          relative offset N
          <file name>

End of Central Directory:
          offset (start)
          last disk



ZIP actually enforces "finishing" near the end of the file. 



TAR: Tape Archive 

Disk images: ISO, Master Boot Record 
TGA (image) 
(Console) roms 



Hardware-bound formats: code/data at offset 0 
'header' often (optionally) later in the memory space 



a good magic signature: 

• enforced at offset 0 

• unique 

no magic no excuse 



Another common 
yet important property 

(useful for abuses) 



It's a complete cow (you can see its whole body), with something next: 
appending something doesn't invalidate the start. 






Remember: 
there's nothing to parse 
after the terminator. 




formats not enforced at offset 0 
+ tolerating appended data 

= polyglots by concatenation 



a JAR JAR BINK polyglot

>java -jar bink.jar
Hello World!

>unzip bink.jar gungan.jar
Archive:  bink.jar
warning [bink.jar]:  42732 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: gungan.jar

>java -jar gungan.jar
Mesa called Jar Jar Binks!



JAR(JAR) || BINK polyglot 
JAR = ZIP(CLASS) 
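The check a file-upload filter or triage script can run against polyglots by concatenation, as an added example (not code from the talk): it finds the ZIP End of Central Directory from the end of the file, computes the same "extra bytes at beginning" figure unzip prints above, and applies the two PDF header rules quoted earlier. Function names and the sample bytes are constructed for the illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDH_SIG = b"PK\x01\x02"    # Central Directory file header
EOCD_LEN = 22              # fixed part of the EOCD; a comment of up to 65535 bytes may follow

# Signatures that are only honoured at offset 0 (subset of the list on the slides).
OFFSET0_MAGICS = {"gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n",
                  "jpeg": b"\xff\xd8", "elf": b"\x7fELF", "mz": b"MZ"}


def zip_layout(data):
    """Locate the EOCD by scanning backwards, as ZIP readers do.

    Returns {"prefix", "trailing", "entries"} or None when no ZIP is present.
    "prefix" is the number of foreign bytes before the archive.
    """
    lo = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            _sig, _disk, _cd_disk, _n_disk, entries, cd_size, cd_off, clen = \
                struct.unpack_from("<4sHHHHIIH", data, pos)
            prefix = pos - cd_size - cd_off              # unzip's "extra bytes"
            trailing = len(data) - (pos + EOCD_LEN + clen)
            cd_start = pos - cd_size
            if prefix >= 0 and trailing >= 0 and (
                    entries == 0 or data[cd_start:cd_start + 4] == CDH_SIG):
                return {"prefix": prefix, "trailing": trailing, "entries": entries}
        pos = data.rfind(EOCD_SIG, lo, pos)              # false hit, keep scanning
    return None


def pdf_header_offset(data):
    """Offset of %PDF- if it lies in the first 1024 bytes (Acrobat's rule), else None."""
    off = data.find(b"%PDF-", 0, 1024)
    return off if off != -1 else None


def identify(data):
    """Every format whose reader would accept this file, with where it starts."""
    found = {}
    for name, magic in OFFSET0_MAGICS.items():
        if data.startswith(magic):
            found[name] = {"offset": 0}
    off = pdf_header_offset(data)
    if off is not None:
        found["pdf"] = {"offset": off, "spec_strict": off == 0}
    layout = zip_layout(data)
    if layout is not None:
        found["zip"] = layout
    return found


def verdict(data):
    """Reasons to treat the file as a possible polyglot; empty list means none found."""
    found, reasons = identify(data), []
    if len(found) > 1:
        reasons.append("accepted as " + " + ".join(sorted(found)))
    layout = found.get("zip")
    if layout and layout["prefix"]:
        reasons.append("%d extra bytes before the ZIP" % layout["prefix"])
    if layout and layout["trailing"]:
        reasons.append("%d bytes after the ZIP" % layout["trailing"])
    pdf = found.get("pdf")
    if pdf and not pdf["spec_strict"]:
        reasons.append("PDF header at offset %d, not 0" % pdf["offset"])
    return reasons


def _sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("README.txt", "constructed sample\n")
    return buf.getvalue()


# Constructed inputs: a clean ZIP, a PDF-looking stub glued in front of it,
# and a PDF header pushed away from offset 0.
PLAIN_ZIP = _sample_zip()
PDF_STUB = b"%PDF-1.4\n% constructed stand-in for a PDF body\n"
POLYGLOT = PDF_STUB + PLAIN_ZIP
SHIFTED_PDF = b"\x00" * 10 + PDF_STUB

if __name__ == "__main__":
    for label, blob in (("plain zip", PLAIN_ZIP), ("polyglot", POLYGLOT),
                        ("shifted pdf", SHIFTED_PDF)):
        print(label, verdict(blob))
```

A filter that stops at the first signature it recognises reports only "pdf" for the second sample; the non-empty verdict is what shows that a ZIP reader will also accept it.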




"host/parasite" polyglots 



If a cow keeps a frog in its mouth, it can also speak 2 languages! 

(the outer leaves space for an inner) 



HEADER 




END 



Ok, I know... here is a more realistic analogy. 



...if our cow swallows a microSD, it's still a valid cow! 
Even if it contains foreign data, that is tolerated by the system. 



>corkamix.exe
CorkaMIX [PE]

>java -jar corkamix.exe
CorkaMIX [Java CLASS in JAR]

>cmp -b corkamix.exe corkamix_ib.exe
cmp: EOF on corkamix.exe

>python corkamix_ib.exe
CorkaMIX [python]

>copy corkamix.exe corkamix.html
        1 file(s) copied.



2 infection chains in one file: 




0001. CONSTANT_Class : corkamix
0002. CONSTANT_Utf8 : corkamix
0003. CONSTANT_Class : java/lang/Object

Edit CONSTANT_Utf8:

endstreamendobj1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>streamBT/default 80 Tf 1 0 0 1 1 715 Tm(CorkaMIX [PDF])Tj ETendstreamendobjtrailer<</Root<</Pages 1 0 R>>>>

0015. CONSTANT_Utf8 : CorkaMIX [Java CLASS in JAR]
0016. CONSTANT_Methodref : class: java/io/PrintStream, name: println, descriptor: (Ljava/lang/String;)V
0017. CONSTANT_Class : java/io/PrintStream
0018. CONSTANT_Utf8 : java/io/PrintStream
0019. CONSTANT_NameAndType : name: println, descriptor: (Ljava/lang/String;)V
0020. CONSTANT_Utf8 : println
0021. CONSTANT_Utf8 : (Ljava/lang/String;)V
0022. CONSTANT_Utf8 : endstreamendobj1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0



the PDF part is stored in a Java buffer 




CorkaMIX [PDF] 



corkamix.html 



JavaScript Alert 



CorkaMIX [HTML+JavaScript] 




Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii
00000000  47 49 46 38 39 61 2F 2A 0A 00 00 FF 00 2C 00 00  GIF89a/*.....,..  <-Format data
00000010  00 00 2F 2A 0A 00 00 02 00 3B 2A 2F 3D 31 3B 61  ../*.....;*/=1;a  <-Format data - For..
00000020  6C 65 72 74 28 22 48 65 6C 6C 6F 20 57 6F 72 6C  lert("Hello Worl  <-Foreign data
00000030  64 5C 6E 28 66 72 6F 6D 20 61 20 47 49 46 20 66  d\n(from a GIF f
00000040  69 6C 65 29 22 29 3B                             ile)");



gifjs.html (view-source):

<html><body>
<img src="gifjs.gif">
<script src="gifjs.gif"></script>
</body></html>

[Screenshot: gifjs.html opened in the browser shows a JavaScript Alert: "Hello World (from a GIF file)"]



a JavaScript || GIF polyglot (useful for pwning - also in BMP flavor) 



[Boot screen with an ASCII-art banner:]

Berliner Spargel Operating System

Mein Deutsch is nicht so gut, aber es ist Spargel zeit!
by Travis Goodspeed

m - Memory Viewer
a - About

This is a minimal operating system by Travis Goodspeed for 16-bit Real
Mode 8086 on an IBM PC. It was written in order to learn about the
8086, and it quite likely will serve no use for you. It is free
without any strings attached, but please give credit were credit is
due if you fork it.

Also, and this is very important, you should use the included hex viewer
to poke around this machine's memory. The boot sector at 0000:7C00
is likely a good place to start.
Press the 'any' key to continue. _




Archive:  pocorgtfo02.pdf
warning [pocorgtfo02.pdf]:  8016414 extra bytes at beginning or within zipfile
  (attempting to process anyway)

  Length   EAs  ACLs    Date     Time   Name
     852     0     0  12/06/13  16:25   README.txt
    6794     0     0  12/06/13  16:25   coda.txt
   20164     0     0  12/06/13  16:25   feeling.txt
   12618     0     0  12/06/13  16:25   harrison.txt
       0     0     0  12/06/13  16:25   pgpquine/
     275     0     0  12/06/13  16:25   pgpquine/Makefile
    1006     0     0  12/06/13  16:25   pgpquine/inflate.c
    5323     0     0  12/06/13  16:25   pgpquine/quine.c
  203706     0     0  12/06/13  16:25   rfc4880.txt
 2046109     0     0  12/06/13  16:25   tamagotchi.zip
   15565     0     0  12/06/13  16:25   thewub.txt
  278598     0     0  08/05/13  13:06   pocorgtfo00.pdf
 3790438     0     0  10/13/13  02:47   pocorgtfo01.pdf
 6381448     0     0                    13 files



PoC||GTFO 0x2: MBR || PDF || ZIP 



[Diagram: layout of the JPEG || PDF file in three columns (FILE, JPEG, PDF). Legible parts: a JPEG segment marker followed by <size> <content>; a JPEG comment segment (ff fe <size>) holding %PDF-1.5 and an object that opens a stream; the JPEG end marker ff d9 followed by endstream and endobj, after which the PDF continues.]



[Poster: "AngeCryption: getting valid files after encryption", by Ange Albertini and Jean-Philippe Aumasson. Legible section titles: "1 CONTROLLING FIRST ENCRYPTED BLOCK", with C1 = ENC(P1 ^ IV) and IV = DEC(C1) ^ P1, and "3 SKIPPING UNCONTROLLED BLOCKS".]



by Travis Goodspeed 







Archive:  pocorgtfo03.pdf
warning [pocorgtfo03.pdf]:  12224072 extra bytes at beginning or within zipfile
  (attempting to process anyway)

  Length   EAs  ACLs    Date     Time   Name
    2561     0     0  02/10/14  06:23   alexander.txt
    7848     0     0  02/08/14  20:20   bochs-2.6.2.patch
    6135     0     0  02/08/14  20:21   bochs-20140203.patch
    7248     0     0  02/09/14  08:35   defusing.zip
    4830     0     0  12/01/13  15:48   despair.txt
   14892     0     0  11/27/13  19:03   lasta.txt
   26325     0     0  02/07/14  21:06   lastq.txt
  473449     0     0  02/07/14  21:06   netwatch-337f8b1.tar.gz
  131930     0     0  02/24/14  20:32   nokiacipher.png
   14645     0     0  02/17/14  18:52   packed
    2129     0     0  02/07/14  21:06   saucers.txt
    3144     0     0  02/07/14  21:06   tamadec.txt
    6227     0     0  02/07/14  21:06   tetranglix.tar.bz2
14109425     0     0  02/07/14  21:06   pocorgtfo02.pdf
     322     0     0  03/03/14  01:28   pocorgtfo03-encrypt.py
14811110     0     0                    15 files



PoC||GTFO 0x3: JPG || AFSK || AES(PNG) || PDF || ZIP 



[Screenshot: TrueCrypt volume list (columns Drive, Volume, Encryption, Type) with d:\pocorgtfo04.pdf mounted as drive P:, encryption AES, type Normal]



Archive:  pocorgtfo04.pdf
warning [pocorgtfo04.pdf]:  798586 extra bytes at beginning or within zipfile
  (attempting to process anyway)

  Length   EAs  ACLs    Date     Time   Name
       0     0     0  06/24/14  18:56   bin2png/
    5010     0     0  06/24/14  18:56   bin2png/bin2png.py
   18025     0     0  06/24/14  18:56   bin2png/LICENSE
    1141     0     0  06/24/14  18:56   bin2png/README.md
  140413     0     0  06/24/14  18:56   darfsteller.txt
    2841     0     0  06/24/14  18:56   gods.txt
       0     0     0  06/24/14  18:56   lenticrypt/
   36445     0     0  06/24/14  18:56   lenticrypt/lenticrypt.py
   18025     0     0  06/24/14  18:56   lenticrypt/LICENSE
     776     0     0  06/24/14  18:56   lenticrypt/README.md
    2709     0     0  06/24/14  18:56   lenticrypt/test.py
 3111965     0     0  06/24/14  18:56   pocorgtfo.png
   25986     0     0  06/24/14  18:56   theveldt.txt
  239224     0     0  06/24/14  18:56   tsb-20140401.zip
26750864     0     0  06/24/14  18:56   pocorgtfo03.pdf
30353424     0     0                    15 files



PoC||GTFO 0x4: TrueCrypt || PDF || ZIP 



[Screenshots: pocorgtfo05.swf playing in a browser (file:///S:/pocorgtfo05.swf, lyrics "Never gonna give you up / Never gonna let you down"), and pocorgtfo05.pdf open in Adobe Reader on the PoC||GTFO cover page]

by Alex Infuhr



PoC||GTFO 0x5: Flash 





Archive:  pocorgtfo05.pdf
warning [pocorgtfo05.pdf]:
  (attempting to process an
   creating: PEXternalizer/
   creating: PEXternalizer/
  inflating: PEXternalizer/
  inflating: PEXternalizer/
  inflating: PEXternalizer/



PoC||GTFO 0x6: TAR || PDF || ZIP 



$ tar -tvf pocorgtfo06.pdf 
-rw-r--r-- Manul/Laphroaig 0 2014-10-06 
-rw-r--r-- Manul/Laphroaig 525849 2014-10- 
-rw-r--r-- Manul/Laphroaig 273658 2014-10- 



$ unzip -l pocorgtfo06.pdf
Archive:  pocorgtfo06.pdf
warning [pocorgtfo06.pdf]:  10672929 extra
  (attempting to process anyway)

  Length      Date     Time   Name
    4095   11/24/2014  23:44  64k.txt
  818941   08/18/2014  23:28  acsac13_zadda
    4564   10/05/2014  00:06  burn.txt
  342232   11/24/2014  23:44  davinci.tgz.d
    3785   11/24/2014  23:44  davinci.txt
    5111   09/28/2014  21:05  declare.txt
       0   08/23/2014  19:21  ecb2/





[Screenshot: pocorgtfo06.pdf open in Adobe Reader, showing the cover page:]



PoC || GTFO; 

brings that

OLD TIMEY EXPLOITATION 

with a 

WEIRD MACHINE JAMBOREE 

and our world-famous 

FUNKY FILE FLEA MARKET 

not to be ironic, but because 



WE LOVE THE MUSIC! 




November 25. 2011 






6:2 On Giving Thanks
6:3 Dolphin Emulator Internals (PPC)
6:4 TAR PDF Polyglots
6:5 Pong Easter Eggs in VMWare
6:6 Anti-Emulation for MIPS
6:7 Cracking AngeCryption with ECB.py
6:8 PCD Reverse Engineering
6:9 Davinci Self-Extractor
6:10 Observable Metrics
6:11 Donate to Laphroaig's 0day Charity



Unicode // 



\u002f\u002f <html>
\u002f\u002f <body>
\u002f\u002f <script>
\u002f\u002f alert('Hello World! [Javascript]');
\u002f\u002f </script>
\u002f\u002f </body>
\u002f\u002f </html>

public class HW
{
    public static void main(String[] args)
    {
        System.out.println("Hello World! [Java]");
    }
}



a Java || JavaScript polyglot (at source level) 



[Hex dump of the polyglot. The file starts at offset 0 with the ASCII text <html><body><script>alert('Hello World! [Javascript]');</script></body></html>, immediately followed by ZIP local file headers (50 4B 03 04, "PK") for META-INF/ and META-INF/MANIFEST.MF (Created-By: 1, Main-Class: HW), then a third local file header and the class file data (CA FE BA BE ...), whose constant pool shows HW, java/lang/Object, main, ([Ljava/lang/String;)V, Code, java/lang/System, out, Ljava/io/PrintStream; and "Hello World ![Java]".]



a Java || JavaScript polyglot (at binary level) 



=> Java = JavaScript

Yes, your management was right all along ;) 






Extreme files bypass filters 






















Farmer got denied permit to build a horse shelter. 
So he builds a giant table & chairs which don't need a permit. 



%PDF-\0trailer<</Root<</Pages<<>>>>>>

[Screenshot: emptyX.pdf opened in Adobe Reader]



a mini PDF (Adobe-only, 36 bytes) => skipped by scanners yet valid ! 



BFF9AF2770    mov    edi,07027AFF9
B068          mov    al,068 ;'h'
AA            stosb
B800102900    mov    eax,000291000
AB            stosd
66B8C300      mov    ax,000C3
AA            stosb
89D8          mov    eax,ebx
0000          add    [eax],al
0000          add    [eax],al

[Section table, sections numbered 65524 to 65534 (columns Number, Name, VirtSize, RVA, PhysSize, Offset, Flag): every visible row has VirtSize 00007000, PhysSize 00000000, Offset 00280200 and Flag E00000C0; the RVA column runs from 70226000 to 70265000 in steps of 7000.]

Windows 7 x64

>65535sects.exe
** 65535 physically identical, virtually executed sections



a 64K sections PE (all executed) => crashes a lot of software, evades scanning



Parsing 



This is how a user sees a cow.




This is how a dev sees a cow. 



This is how another dev sees a cow ! 

(this one: brazilian beef cut - previous: french beef cut) 



Same data, different parsers 

it would have been too easy ;) 






commented line:             % trailer <</Root ...>>

                            trailer <</Root ...>>

missing trailer keyword:    <</Root ...>>




a schizophrenic PDF: 3 different trailers, seen by 3 different readers 



[Screenshot: helloworld.pdf in Adobe Reader displays "Hello World!"; the Print dialog (printer: PDFCreator) for the same document shows "Top Secret" in its preview, Page 1 of 1]



a schizophrenic PDF (screen printer) 




a (generated) PDF || PE || JAR [JAVA+ZIP] || HTML polyglot. 



[Screenshots of 44con-albertini.pdf in three viewers. SumatraPDF shows page 1 of 119, the title slide "Messing with binary formats", 44CON, Ange Albertini. A browser tab (file:///S:/44con-albertini.pdf) shows a different page, with the text "THANK YOU ADOBE, BUT OUR DOCUMENT IS IN ANOTHER VIEWER". Adobe Reader shows an error:]

Adobe Reader could not open 44con-albertini.pdf because it is either not a
supported file type or because the file has been damaged (for example, it was
sent as an email attachment and wasn't correctly decoded).

...which is also a schizophrenic PDF



$ du -h stringme 
141 stringme 

$ strings stringme 

Segmentation fault (core dumped) 



Extra problem: parsers can be present in unexpected places 



http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485)



metadata 

Who's the owner? 



A hidden cow just looks like another cow.. 




so cattle is branded. 



But brandings can be faked! 

or "patched" into another symbol 
=> attribution is hard 



an encrypted file is not always "encrypted" 
encrypt(file) is not always "random" 

encrypt(file) can be valid 



DATA[123456789ABCDEF]END

TEXT\nthis is a text\n

We want to encrypt a DATA file to a TEXT file.
DATA tolerates appended data after its END marker
TEXT accepts /* */ comment chunks (think 'parasite in a host')

DATA[123456789ABCDEF]END




<random> 



If we just encrypt, we get a random result: we can't control AES output & input together.



AES works with blocks 

File encryption applies AES via a mode of operation 



Electronic Code Book:

penguin = bad

Cipher Block Chaining

[Diagram: PLAINTEXT BLOCKS P1, P2; the IV; an XOR and an ENC stage per block; CIPHERTEXT BLOCKS C1, C2]

C1 = ENC(P1 ^ IV)

choose the IV to control both first blocks (P1 & C1):

DEC(C1) = P1 ^ IV
IV = DEC(C1) ^ P1



DATA[123456789ABCDEF]END

TEXT <something we control>
<random rest>

Encrypt with pure AES, then determine IV to control the output block

DATA[123456789ABCDEF]END

We can't control the rest of the garbage.

TEXT/*
<ignored random rest>

so let's put a comment start in the first block

DATA[123456789ABCDEF]END

TEXT/*
<ignored random rest>
*/\nthis is a text\n

If we close the comment and append the target file's data in the encrypted file,
then this file is valid and equivalent to our initial target.

DATA[123456789ABCDEF]END
<pre-decrypted ignored random>

TEXT/*
<ignored random rest>
*/\nthis is a text\n

...then we decrypt that file: we get the original source file,
with some random data, that will be ignored since it's appended data.

DATA[123456789ABCDEF]END
<pre-decrypted ignored random>

TEXT/*
<ignored random rest>
*/\nthis is a text\n





Since AES CBC only depends on previous blocks, 
this DATA file will indeed encrypt to a TEXT file. 



AngeCryption PoC layout

BEFORE ENCRYPTION:
  SIGNATURE OF SOURCE FILE'S FORMAT
  SOURCE CHUNKS
  "DECRYPTED" (RANDOM) TARGET CHUNKS (APPENDED DATA)

AFTER ENCRYPTION:
  SIGNATURE OF TARGET FILE'S FORMAT
  DUMMY CHUNK DECLARATION
  ENCRYPTED (RANDOM) SOURCE CHUNKS
  TARGET CHUNKS



00: 4441 5441 5b31 3233 3435 3637 3839 4142  DATA[123456789AB
10: 4344 4546 5d45 4e44 0000 0000 0000 0000  CDEF]END........
20: f6fe 17cf 0802 7449 58de cdf2 f9c4 45ce  ......tIX.....E.
30: 2e8e 6996 5854 824c c09c 1b7d 4898 a29e  ..i.XT.L...}H...

openssl enc -aes-128-cbc -nopad
  -K `echo OurEncryptionKey | xxd -p`
  -iv A37A69F13417F5AB3CC4A1546B97FD76

00: 5445 5854 2f2a 0000 0000 0000 0000 0000  TEXT/*..........
10: 3f81 11a9 2540 ded5 096a 83c9 f191 d8bb  ?...%@...j......
20: 2a2f 0a74 6869 7320 6973 2061 2074 6578  */.this is a tex
30: 740a 454e 4400 0000 0000 0000 0000 0000  t.END...........



You can even try it at home :) 
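The DATA-to-TEXT walk-through above, carried through in code as an added example (not the author's tool): it shows why a recognisable header on ciphertext proves nothing about the content, and why the property depends on the file's producer choosing the IV. Python's standard library has no AES, so a toy 4-round Feistel permutation stands in for ENC/DEC (an assumption, not secure); the CBC steps and the IV formula are those on the slides, and all function names are made up here.

```python
import hashlib

BLOCK = 16  # same block size as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, n, half):
    # Round function of the toy cipher (assumption: stand-in for AES internals).
    return hashlib.sha256(key + bytes([n]) + half).digest()[:8]


def enc_block(key, block):
    """ENC: toy Feistel permutation on one 16-byte block. NOT a real cipher."""
    left, right = block[:8], block[8:]
    for n in range(4):
        left, right = right, _xor(left, _round(key, n, right))
    return left + right


def dec_block(key, block):
    """DEC: exact inverse of enc_block."""
    left, right = block[:8], block[8:]
    for n in reversed(range(4)):
        left, right = _xor(right, _round(key, n, left)), left
    return left + right


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += _xor(dec_block(key, block), prev)
        prev = block
    return out


def pad(data):
    """Zero-pad to a whole number of blocks, like the -nopad input on the slide."""
    return data + b"\x00" * (-len(data) % BLOCK)


def craft(key, source, target_first_block, target_rest):
    """Return (iv, crafted_source, target) following the slides step by step."""
    source = pad(source)
    c1 = pad(target_first_block)                   # wanted first ciphertext block
    assert len(c1) == BLOCK, "target signature + comment start must fit one block"
    iv = _xor(dec_block(key, c1), source[:BLOCK])  # IV = DEC(C1) ^ P1
    encrypted_source = cbc_encrypt(key, iv, source)  # block 1 is c1, the rest is uncontrolled
    target = encrypted_source + pad(target_rest)   # close the comment, append target data
    crafted = cbc_decrypt(key, iv, target)         # source + "pre-decrypted" appended data
    return iv, crafted, target


KEY = b"OurEncryptionKey"                          # key string shown on the slide
SOURCE = b"DATA[123456789ABCDEF]END"
IV, CRAFTED, TARGET = craft(KEY, SOURCE, b"TEXT/*", b"*/\nthis is a text\nEND")

if __name__ == "__main__":
    print("source file :", CRAFTED[:32])
    print("encrypts to :", cbc_encrypt(KEY, IV, CRAFTED))
```

With an IV fixed or generated by the receiving side, the first plaintext block and the first ciphertext block can no longer both be chosen, which is the control the walk-through relies on.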



Chimera 

(if you skip identified bodies, you'll miss other files) 



[Screenshot: WinRAR opens zipjpg.pdf as "SFX ZIP archive, unpacked size 69,782 bytes". It lists one file, Corkami.jpg (size 69,782, packed 69,782, JPEG Image, CRC32 2A142635), and the archive test reports "No errors found during test operation".]



a JPEG || ZIP || PDF Chimera 



[Diagram: byte-level layout of the JPEG || ZIP || PDF chimera, offsets on the left, CONTENT in the middle, labels on the right. Legible labels: COMMENT SEGMENT START (LENGTH); PDF HEADER + DOCUMENT (%PDF-1.4, 1 0 obj); DUMMY OBJECT START (<</Length 69786>> stream); DUMMY OBJECT END (endstream endobj); IMAGE OBJECT START (<</Width ... stream); LOCAL FILE HEADER START; FILE NAME LENGTH; LFH'S FILENAME; STORED FILE DATA; IMAGE DATA (DQT) (FF DB ...); END OF IMAGE (FF D9); END OF IMAGE OBJECT (endstream endobj); DUMMY OBJECT START (stream); CENTRAL DIRECTORY; FILENAME (corkami.jpg); END OF CENTRAL DIR; LENGTH OF COMMENT; ARCHIVE COMMENT; END OF DUMMY OBJECT; XREF, TRAILER; END OF FILE (%%EOF); LINE COMMENT; END OF IMAGE MARKER (FF D9); (END OF COMMENT). The image data is stored once and shared.]



a chimera defeats sequential parsing with optimization 






a Picture of Cat 

(BMP ! uncompressed ! OMG) 




BMP lets us define bit masks for each color:

32 bits: 0000000000000000rrrrrggggggbbbbb (no alpha) 

=> 16 bits of free space! 



let's play the picture! 

no, seriously :) 






Consider the BMP 
as RAW 32b PCM 



store sound in the lower 16 
sound ignored by BMP 
image data too low to be ai 
store a picture encoded as s< 

o viewable as spectrogram 





Cerbero 

same type of heads, one body 






...with an unused palette 

palette picture data = each byte is an index in the palette 



in theory, it could be used: 






For colour types 2 and 6 (truecolour and truecolour with alpha), the PLTE chunk is optional. If present, it provides a suggested set of colours (from 1 to 256) to which the truecolour image can be quantized if it cannot be displayed directly. It is, however, recommended that the sPLT chunk be used for this purpose, rather than the PLTE chunk.



How to make a pic-ception 

adjust each RGB value to the closest palette index 
=> store a second picture with the same data.... 

(original idea by @reversity) 



We get another picture of 
the same type from the 
same data! 



BTW, that's a barcode inception: 
a DataMatrix barcode inside a QRCode, both valid 
https://www.iseclab.org/people/atrox/qrinception.pdf 




Malicious Hashing: Eve's Variant of SHA-1 



Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, and Martin Schlaffer



This is the actual SHA-1 with only 4 of its 5 constants modified 
This doesn't give a collision in the actual SHA-1 






2 colliding blocks: mostly random and unpredictable 

At most three consecutive bytes without a difference. 
Typically, in every dword, only the middle two bytes have no differences. 






JPEG signature 



Chunk marker 

- ff e5 in block 1 

- ff e6 in block 2 



Chunk length 

- c4 00 in block 1 

- e4 00 in block 2 



00000: ff d8 ff e? ?4 00 39 54 ?? 6d 04 2e ?? b7 b2 ??
       ?? 08 cf ?? ?? 46 d4 ?? ?? 0a 05 ?? ?? cb e2 ??   (contains no 0xff)
       ?? 87 fc ?? 38 98 83 ?? ?? 32 ac ?? ?? 6a a8 ??
       ?? 43 1f ?? ?? 66 87 f5 ?? 85 f7 ?? ?? 1c a9 ??

0c404: ff fe b5 e9    <COMment chunk covering Image 1>
0e404: ff e0          <start of Image 1>
       ff d9          <end of Image 1> <end of comment>
179ed: ff e0          <start of Image 2>
1b0d7: ff d9          <end of Image 2>



Abusing JPEG's multiple unused APPx (FF Ex) markers 




>crypto_hash *.jpg
fbd1847ac1342acb9c52c30f4b477997938a4a0a *klose.jpg
fbd1847ac1342acb9c52c30f4b477997938a4a0a *messi.jpg



Much better! (images chosen at random) 




a polyglot collision (multiple use for a single backdoor) 




Pwnie award... for the best song! err... what is it pwning exactly ? 



[Screenshots: a music player with an on-screen keyboard, showing Title "SSL Smiley Song :->", Artist "Melissa Elliott", (C) "2014 0xabad1dea"; a hex view of the same file, in which these text fields are interleaved with %PDF-1.5, 9 0 obj <<>> and stream; and the "Smiley Song" lyrics page of the PDF.]





[Image: a Sega Genesis magazine advertisement (game list by category and body text).]



u remember this ? 



[Screenshot: snes_md.pdf opened in Adobe Reader, showing the same "GENESIS DOES WHAT NINTENDON'T." advertisement]



A Super NES & Megadrive rom 
(and PDF at the same time) 




Conclusion 



Ange's recipes :) 



Never forget to: 

• open your PDFs in a hex editor 

• open your pictures in a sound player 

• run your documents in a console emulator 

• encrypt/decrypt with any cipher 

• double-check what you printed 



Security advice: 

DON'T * 

It's easy to blame others - new insecure paths appear every day 



Research advice: 

DO* 

PoC||GTFO ! stop the marketing! cheap blamers o blatant marketers? 



F.F.F. conclusion 



• many abuses of the specs 

o specs often are wrong or misleading 

• few parsers, even fewer dissectors 

• standard tools evolve the wrong way 

o try to repair 'corrupted' file outside the specs 
o standard and recovery mode 



For technical details, check my previous talks. 



ACK 



@doegox @pdfkungfoo @veorq @reversity 
@travisgoodspeed @sergeybratus qkumba 
@internot @gynvael @munin 
@solardiz @0xabad1dea @ashutoshmehra 

lytron @JacobTorrey @thicenl 

...and anybody who gave me feedback! 



Bonus 



After the talk, we tried some PoCs on professional 
(very expensive!) forensic software: 

• polyglot files 

o a single file format found + no warning whatsoever 

• schizophrenic files: 

o no warning yet different tabs of the same software showing 
different content :D 

BIG FAIL - yet we trust them for court cases ? 



[Screenshot: abstract.tar opened in Adobe Reader and in WinRAR. WinRAR lists a single file named "Binary tricks to evade identification detection to exploit encryption and hash collis"; the rendered text includes "*this is a valid . . ." and ". . .TAR & Adobe PDF PoC"]

%PDF-1. 

trailer<</Root<</Pages<<>>>>>> 



The initial abstract of this talk: 
ASCII-only, PDF/TAR polyglot 







Solar Designer made a great keynote - that's actually a real game to play! 
But one has to load and play through the game - not so accessible! 
http://openwall.com/presentations/ZeroNights2014-Is-Infosec-A-Game/ 



A game by Solar Designer (@solardiz) 
for ZeroNights 2014 (Moscow, Russia) 
written in 1994-95 ("code"), 2014 ("data") 
(includes pre-1994 library code and fonts) 



http://www.openwall.com/zn2014 



PDF/ZIP by Ange Albertini (@angealbertini) 



a PDF: 

• containing the game as ZIP 

• hand-written 

o with walkthrough's screenshots 

(in original resolution) 
o a lightweight title 
o while maintaining compatibility 
a good way to distribute as a single file! 



$ unzip -t ZeroNights2014-Is-Infosec-A-Game.pdf 
Archive: ZeroNights2014-Is-Infosec-A-Game.pdf 
warning [ZeroNights2014-Is-Infosec-A-Game.pdf]: 6381506 extra bytes 
(attempting to process anyway) 
testing: ZN14GAME/ OK 
testing: ZN14GAME/COMMON/ OK 
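
The "extra bytes" warning above is the kind of signal the forensic tools in the Bonus section did not give. As an added example (not code from the talk), this Python sketch reports every format signature that matches a file and how many bytes sit in front of the ZIP data; the sample files are constructed, and accepting the PDF header anywhere in the first 1024 bytes is an assumption about reader tolerance.

```python
import io
import struct
import tarfile
import zipfile

def zip_prefix_bytes(data):
    """Bytes in front of the ZIP data (unzip's "extra bytes"), or None if no ZIP."""
    eocd = data.rfind(b"PK\x05\x06")        # End Of Central Directory record
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    gap = eocd - (cd_offset + cd_size)      # 0 when the archive starts at byte 0
    return gap if gap >= 0 else None

def detect_formats(data):
    """Map every format whose signature matches to the offset where it starts."""
    found = {}
    if b"%PDF-" in data[:1024]:             # assumption: header accepted in first 1024 bytes
        found["pdf"] = data.find(b"%PDF-")
    if data[257:262] == b"ustar":           # TAR magic inside the first 512-byte header
        found["tar"] = 0
    gap = zip_prefix_bytes(data)
    if gap is not None:
        found["zip"] = gap
    return found

def warnings_for(data):  # what a triage tool should flag instead of naming one format
    found = detect_formats(data)
    out = ["polyglot: " + "+".join(sorted(found))] if len(found) > 1 else []
    if found.get("zip"):
        out.append("%d bytes before ZIP data" % found["zip"])
    return out

# Constructed samples (not the talk's PoC files).
_z = io.BytesIO()
with zipfile.ZipFile(_z, "w") as zf:
    zf.writestr("GAME/README.TXT", "constructed sample")
PLAIN_ZIP = _z.getvalue()
PDF_ZIP = b"%PDF-1.5\n% constructed stub\n" + PLAIN_ZIP
_t = io.BytesIO()
with tarfile.open(fileobj=_t, mode="w", format=tarfile.USTAR_FORMAT) as tf:
    info = tarfile.TarInfo("abstract.txt")
    info.size = len(b"%PDF-1.\n")
    tf.addfile(info, io.BytesIO(b"%PDF-1.\n"))
PDF_TAR = _t.getvalue()

if __name__ == "__main__":
    for blob in (PLAIN_ZIP, PDF_ZIP, PDF_TAR):
        print(detect_formats(blob), warnings_for(blob))
```
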



Quine 

prints its own source 



[Screenshot: hex view of the file next to a Windows XP cmd.exe window displaying its source; lines are cut off at the window edge]

;this is a type-able PE quine PE: 
; a working PE file, made entirely 
ded, which it displays on executic 
;you can do it manually via 'type 

;Ange Albertini, BSD Licence, 2011 

IMAGEBASE equ 400000h 




Most quines aren't very sexy 

Using a compiler is cheap :p 



Quine Relay 

A prints B's source 
B prints A's source 



>ver 
Microsoft Windows [Version 6.1.7601] 
>sha1sum relay.exe 
c46307a2faec73902bc70e0d7e89a2f412935eb9 *relay.exe 
>relay.exe > relay.asm 
>yasm -o relay relay.asm 
>sha1sum relay 
1f6594a24e593e32b490c83d4112c9ca7237a553 *relay 

dev@nux:~$ uname 
Linux 
dev@nux:~$ sha1sum relay 
1f6594a24e593e32b490c83d4112c9ca7237a553  relay 
dev@nux:~$ ./relay > relay.asm 
dev@nux:~$ yasm -o relay.exe relay.asm 
dev@nux:~$ sha1sum relay.exe 
c46307a2faec73902bc70e0d7e89a2f412935eb9  relay.exe 



a PE o ELF quine relay 
(no linker) 






a 50-languages quine relay 
https://github.com/mame/quine-relay 







other AngeCryption PoCs (PDF, PNG, JPG) 




A bit of everything 



@angealbertini 
corkami.com 



